How to use BitLocker Recovery Key file and tpm file?

    Question

  • Hello,

    I was testing BitLocker Drive Encryption on the operating system drive of Windows Server 2008 R2. After the TPM was initialized and BitLocker was turned on for the system drive, I chose "Save the recovery key to a USB flash drive". The system generated a BitLocker Recovery Key file and a tpm file on my USB drive.

    What is the usage of the BitLocker Recovery Key file and the tpm file? How can I use them to unlock a system drive? If the tpm file is lost, can we still boot up the encrypted system successfully?

    Thanks in advance.

    Scorprio


    MCTS: Windows Vista | Exchange Server 2007 MCITP: Enterprise Support Technician | Server & Enterprise Admin
    Tuesday, June 08, 2010 1:22 PM

Answers

  • Hi,

    The BitLocker Recovery Key file on the USB device will help you boot the system when starting the computer. If it is not inserted, you will be asked either to insert the USB device or to input the key manually (the key can be found in the txt file).

    The TPM key can help turn the TPM on or off.

    If the TPM key is lost, you can refer to the Help information in TPM management:

    mk:@MSITStore:C:\Windows\Help\mui\0409\tpmadmin.chm::/html/6d0d6ca6-0ed4-4bc3-bbab-f26edd4117d7.htm

    For further information about the TPM, please refer to:

    Windows Trusted Platform Module Management Step-by-Step Guide

    http://technet.microsoft.com/pt-pt/library/cc749022(WS.10).aspx

    Thursday, June 10, 2010 9:27 AM

All replies

  • Hi,

    Is there anyone here who can help me?

    Thanks.


    MCTS: Windows Vista | Exchange Server 2007 MCITP: Enterprise Support Technician | Server & Enterprise Admin
    Thursday, June 10, 2010 1:46 AM
  • Hi Shaon,

    Thank you very much for your help.

    I'll follow your instructions to research it in detail.

    Scorprio


    TechNet SA Subscriber MCTS: Windows Vista | Exchange Server 2007 MCITP: Enterprise Support Technician | Server & Enterprise Admin
    Friday, June 11, 2010 1:27 AM
  • Follow the instructions given at http://abskb.spaces.live.com/blog/cns!8834054641A09100!1309.entry?sa=554384425
    Thursday, June 17, 2010 11:40 AM
  • To be a bit more specific, with regards to the TPM module and the recovery key on USB, the TPM is what is used to pass the recovery key to your system to decrypt hard-drive/USB drive access. The TPM will hash the password as it passes so as not to be captured in plain text by any means. If you disable your TPM, you will have to enter the 48-character key every time the computer is turned on. The TPM file is used to access the TPM itself. If you turn it off or on, it verifies that you are in fact the person with the key. Keep in mind, if the TPM didn't also have a key, you could access the TPM and just grab the BitLocker recovery key and then easily access that encrypted drive. You only need the TPM file when changing the key or disabling the TPM. I have spent many months working with this. Let me know if I can be of any more help.


    Steve

    Monday, June 21, 2010 2:38 PM
  • Hi Steve,

    Thank you for your reply. This is very helpful for me.

    Scorprio


    TechNet Software Assurance Managed Newsgroup MCTS: Windows Vista | Exchange Server 2007 MCITP: Enterprise Support Technician | Server & Enterprise Admin
    Tuesday, June 22, 2010 2:10 AM
  • Is there a way to save that key file to a server when BitLocker saves the initial key during setup? If possible, the way I would like to set up BitLocker is:

    1. GPO allowing non-TPM PCs to use BitLocker with a USB key

    2. BitLocker setup runs and, when prompted for a save location for the file, it saves one to the USB key and to a network share location automatically.

    I have the group policies in place to save the file to a network location, and when I click on "Save keyfile" in the BitLocker Manager it brings up the default network share I have assigned, but is there a script or something that can retrieve the PC host name and save the key with that host name to the network share upon initial setup?

    Thanks

    Tuesday, June 29, 2010 6:08 PM
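
The script below is an added example for the last question above; it is not code from the thread or from Microsoft. It answers the "retrieve the PC host name and save the key with that host name to the network share" part by reading the volume's key protectors with the built-in manage-bde.exe (shipped with Windows 7 / Server 2008 R2 and later) and appending every numerical (recovery) password it finds to a per-host file on a share. It assumes it is run elevated on the client after the BitLocker wizard has finished (for example as a startup script), that the OS volume is C:, and that \\FILESERVER\BitLockerKeys is a placeholder you replace with your own share.

```powershell
# Added example, not code from the thread. Escrows the BitLocker recovery
# password(s) of a volume to a per-host file on a network share using the
# built-in manage-bde.exe. Run elevated, e.g. as a startup script or right
# after the BitLocker wizard finishes. Written for PowerShell 2.0 so it also
# works on Windows 7 / Server 2008 R2.
# \\FILESERVER\BitLockerKeys is a placeholder; replace it with your own share.

param(
    [string]$Volume = 'C:',
    [string]$Share  = '\\FILESERVER\BitLockerKeys'
)

$hostName = $env:COMPUTERNAME
$stamp    = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'

# List every key protector on the volume. For a "Numerical Password" protector
# manage-bde prints the protector ID and, on a following line, the 48-digit
# recovery password (eight groups of six digits separated by hyphens).
$raw = & manage-bde.exe -protectors -get $Volume
if ($LASTEXITCODE -ne 0) {
    throw "manage-bde -protectors -get $Volume failed (exit code $LASTEXITCODE)"
}

$records = @()
$lastId  = $null
foreach ($line in $raw) {
    if ($line -match 'ID:\s*(\{[0-9A-Fa-f-]+\})') {
        $lastId = $Matches[1]          # remember the most recent protector ID
        continue
    }
    if ($line -match '\b(\d{6}(?:-\d{6}){7})\b') {
        # A recovery password always belongs to the protector ID printed above it.
        $records += New-Object PSObject -Property @{
            Captured         = $stamp
            Host             = $hostName
            Volume           = $Volume
            ProtectorId      = $lastId
            RecoveryPassword = $Matches[1]
        }
    }
}

if ($records.Count -eq 0) {
    throw ("No numerical (recovery) password protector found on {0}; " +
           "add one with: manage-bde -protectors -add {0} -RecoveryPassword") -f $Volume
}

# One file per host; appending keeps older passwords if the protector is rotated.
$outFile = Join-Path $Share "$hostName.txt"
$records | ForEach-Object {
    "{0}`t{1}`t{2}`t{3}`t{4}" -f $_.Captured, $_.Host, $_.Volume, $_.ProtectorId, $_.RecoveryPassword
} | Add-Content -Path $outFile -Encoding ASCII

Write-Host ("Escrowed {0} recovery password(s) for {1} {2} to {3}" -f `
    $records.Count, $hostName, $Volume, $outFile)
```

The file this writes is as sensitive as the recovery key on the USB stick, so the share should let computer accounts create and append files but not read them, with read access limited to the people who perform recoveries. If the machines are domain-joined, the built-in alternative is the "Store BitLocker recovery information in Active Directory Domain Services" policy, after which `manage-bde -protectors -adbackup C: -id {protector ID}` pushes an existing protector into AD without any file share at all.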